18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
Size

39KB
MD5

1650d5467d7996adc5971dc6bba6e4c0
SHA1

68bbebb69eb7576b0d05532ff47c7aa65730b174
SHA256

18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2
SHA512

ffffc73f1f7d367992a56f91c19ccee742bd6af91e28c358df8c10de018f57dad302cac2c702c425ac83b9f631b401846881bfee5efeb1f9b7594f6dc3dd12dc
SSDEEP

768:W7BlpppARFbhjbhQYjY+WyKoIWbsHfySkT5GeQbyi348oWc1RPOzkjId6q8UdrSO:W7ZppApBMyKoIWbsHfySkT5GeCyi348F

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4620) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Crashpad\metadata.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe

C:\Users\Admin\AppData\Local\Temp\18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe
"C:\Users\Admin\AppData\Local\Temp\18d44bee18f009ae691d3924b305b163141b2528525e388a5bb614f6263396b2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
39KB

MD5
76251eeeaf75a0e96578484b82cccf7d

SHA1
b1e0b1d5c91576abbcef946771ca36f9f4b6fc43

SHA256
515076f2e95bd24ec09a463132b53887025dc7331032085cd549d477f9fdd04d

SHA512
2c2bb837d9bd2036f561a598339c1b35d3f6719e1584b9b54b83374bf608293bd8f9b9e18173532cdeefb8edb0d6ca6736e7a6dffe9b2ef923ee1179b019c883

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
c4289f9970cdcfd0bf154357b89f6d63

SHA1
0f72c7097a074e82b3755e82909d7881c7373ab6

SHA256
41843c8bead7e50ab6b6d24d294e2cc8c0cbd9bbec376c41920ad9074185fb4f

SHA512
3a61e49b4bccde9655e62e502baac5c029661910da5a51c14fb87e916755872cd05ea2e524e68b543859febf435c22865c697ff2e41a837a5ccedc7e511e9d86

Download Submit